exploit-db-mirror/exploits/android/dos/40945.txt

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=958

The following code in frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp doesn't validate the parameter params.num_bssid, and then copies that number of elements into a stack-allocated wifi_bssid_hotlist_params structure. I don't think this can be reached from an untrusted_app context; but it can be reached from a context with system_api_service access; so a compromised platform app or one of several lower privileged system services (bluetooth, nfc etc.).

static jboolean android_net_wifi_setHotlist(
        JNIEnv *env, jclass cls, jint iface, jint id, jobject ap)  {

    JNIHelper helper(env);
    wifi_interface_handle handle = getIfaceHandle(helper, cls, iface);
    ALOGD("setting hotlist on interface[%d] = %p", iface, handle);

    wifi_bssid_hotlist_params params;
    memset(&params, 0, sizeof(params));

    params.lost_ap_sample_size = helper.getIntField(ap, "apLostThreshold");

    JNIObject<jobjectArray> array = helper.getArrayField(
            ap, "bssidInfos", "[Landroid/net/wifi/WifiScanner$BssidInfo;");
    params.num_bssid = helper.getArrayLength(array);

    if (params.num_bssid == 0) {
        ALOGE("setHotlist array length was 0");
        return false;
    }

    for (int i = 0; i < params.num_bssid; i++) { // <--- no validation on num_bssid
        JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);

        JNIObject<jstring> macAddrString = helper.getStringField(objAp, "bssid");
        if (macAddrString == NULL) {
            ALOGE("Error getting bssid field");
            return false;
        }

        ScopedUtfChars chars(env, macAddrString);
        const char *bssid = chars.c_str();
        if (bssid == NULL) {
            ALOGE("Error getting bssid");
            return false;
        }
        parseMacAddress(bssid, params.ap[i].bssid); // <--- params.ap has 128 elements.

        mac_addr addr;
        memcpy(addr, params.ap[i].bssid, sizeof(mac_addr));

        char bssidOut[32];
        snprintf(bssidOut, sizeof(bssidOut), "%0x:%0x:%0x:%0x:%0x:%0x", addr[0],
                 addr[1], addr[2], addr[3], addr[4], addr[5]);

        ALOGD("Added bssid %s", bssidOut);

        params.ap[i].low = helper.getIntField(objAp, "low");
        params.ap[i].high = helper.getIntField(objAp, "high");
    }

See attached for a POC which causes a crash before the function with the corrupted stack frame returns and checks the stack cookie.

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[---------------------------------------------------------------------REGISTERS----------------------------------------------------------------------]
*X0   0x80000000 <-- 0x0
*X1   0x0
*X2   0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X3   0x3
*X4   0x709bf05fc0 <-- stp    x28, x27, [sp, #-0x60]!
*X5   0x709c1f07b0 (art::gJniNativeInterface) <-- 0x0
*X6   0x709bf27034 <-- cbz    x2, #0x709bf27040 /* u'b' */
*X7   0x284801ff284800ff
*X8   0xc01d0142c01d0229
*X9   0x1
*X10  0xc01d0142c01d0141
*X11  0x7082dff4e8 <-- 0x41013fb31dc0
 X12  0x0
*X13  0x0
*X14  0x0
*X15  0x33511e057221be
*X16  0x709f0035a0 (pthread_getspecific@got.plt) --> 0x709efaad5c (pthread_getspecific) <-- movz   w8, #0x8000, lsl #16
*X17  0x709efaad5c (pthread_getspecific) <-- movz   w8, #0x8000, lsl #16
*X18  0x0
*X19  0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X20  0x7082dfe0a0 --> 0x70833c1470 --> 0x7083381c0c (android::JNIObject<_jobject*>::~JNIObject()) <-- adrp   x2, #0x70833c2000
*X21  0x7082dfe0b8 --> 0x70833c1490 --> 0x7083381c70 (android::JNIObject<_jstring*>::~JNIObject()) <-- adrp   x2, #0x70833c2000
*X22  0x7082dfe078 <-- 0x0
*X23  0xb1da807287fa8cf
*X24  0x709f00e86c (je_tsd_tsd) <-- 0xa880000000
*X25  0x7082dfe8d8 <-- u'c0:1d:b3:3f:1:4...'
*X26  0x200011
*X27  0x7082dfe0d0 <-- 0x100000000001
*X28  0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*SP   0x70815310f0 <-- 0x0
*PC   0x709efaada8 (pthread_getspecific+76) <-- ldr    x10, [x10, #0xe0]
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
 => 0x709efaada8L <pthread_getspecific+76>    ldr    x10, [x10, #0xe0]
    0x709efaadacL <pthread_getspecific+80>    cmp    x10, x9
    0x709efaadb0L <pthread_getspecific+84>    b.ne   #pthread_getspecific+56       <0x709efaad94>
...
    0x709efaad94L <pthread_getspecific+56>    mov    x0, xzr
    0x709efaad98L <pthread_getspecific+60>    str    xzr, [x8]
    0x709efaad9cL <pthread_getspecific+64>    ret

    0x709efaada0L <pthread_getspecific+68>    add    x10, x10, x8, lsl #4
    0x709efaada4L <pthread_getspecific+72>    add    x8, x10, #0xe8
 => 0x709efaada8L <pthread_getspecific+76>    ldr    x10, [x10, #0xe0]
    0x709efaadacL <pthread_getspecific+80>    cmp    x10, x9
    0x709efaadb0L <pthread_getspecific+84>    b.ne   #pthread_getspecific+56       <0x709efaad94>
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
155	in bionic/libc/bionic/pthread_key.cpp
[-----------------------------------------------------------------------STACK------------------------------------------------------------------------]
00:0000| sp  0x70815310f0 <-- 0x0
...
04:0020|     0x7081531110 --> 0x3f800000 <-- 0x0
05:0028|     0x7081531118 <-- 0x0
...
[---------------------------------------------------------------------BACKTRACE----------------------------------------------------------------------]
>  f 0       709efaada8 pthread_getspecific+76
   f 1       709efd2394 je_free+68
   f 2       709efd2394 je_free+68
   f 3       709efd2394 je_free+68
   f 4       709efd2394 je_free+68
   f 5       7083387d10
   f 6       7083387d10
   f 7       7083387d10
Program received signal SIGSEGV (fault address 0x1d0142c01d0221)
pwndbg> bt
#0  pthread_getspecific (key=<optimized out>) at bionic/libc/bionic/pthread_key.cpp:160
#1  0x000000709efd2394 in je_tsd_wrapper_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#2  je_tsd_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#3  je_tsd_fetch () at external/jemalloc/include/jemalloc/internal/tsd.h:614
#4  je_free (ptr=0x707882c3e0) at external/jemalloc/src/jemalloc.c:1932
#5  0x0000007083387d10 in _JNIEnv::ReleaseStringUTFChars (utf=0x707882c3e0 "c0:1d:b3:3f:01:"..., string=0x200011, this=0x7091fd2b00) at libnativehelper/include/nativehelper/jni.h:851
#6  ScopedUtfChars::~ScopedUtfChars (this=<synthetic pointer>, __in_chrg=<optimized out>) at libnativehelper/include/nativehelper/ScopedUtfChars.h:45
#7  android::android_net_wifi_setHotlist (env=0x7091fd2b00, cls=<optimized out>, iface=<optimized out>, id=0x690a3633, ap=<optimized out>) at frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp:799
#8  0x000000709b1a084c in ?? ()

Fixed in https://source.android.com/security/bulletin/2016-12-01.html


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40945.zip